Re: Empty but existing resource | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt from Martin Thomson on 2016-10-07 (ietf-http-wg@w3.org from October to December 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 7 Oct 2016 19:34:02 +1100
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Patrick McManus <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Message-ID: <CABkgnnXo8G0ZhfaZ6=C6JkkLRNOWhf6TANfL0aF29i4+D1FVoA@mail.gmail.com>

On 7 October 2016 at 16:49, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> The client isn't requesting additional functionality via Opp-Sec, but
> gaining a way to double-check the alternative's intent/ability to play along
> when the initial reference was vulnerable to meddling.  (Unless we're
> proposing to update RFC 7838 by adding that MUST?)

Nah, updates aren't necessary, we're just looking for belts AND braces
on this stuff.  We have some evidence that scheme isn't routinely
looked at in the critical parts of the stack, so this is in response
to that.  Yep, it's paranoid.

Received on Friday, 7 October 2016 08:34:30 UTC